audit log for "setenforce" changes?
Chuck Anderson
cra at WPI.EDU
Mon Jan 14 19:23:32 UTC 2008
On Mon, Jan 14, 2008 at 01:46:17PM -0500, Stephen Smalley wrote:
> load_policy doesn't touch the enforcing status.
>
> > Anyway, you have some serious labeling issue there in /var...
> >
> > try restorecon -R /var
The labelling issues I would (perhaps incorrectly) expect from
running SELinux in permissive mode. I decided to relabel and reboot
into enforcing mode. What a disaster. The system couldn't boot
enough to run the "fixfiles restore" from /etc/rc.sysinit, not even in
single user mode. I had to eventually boot into single user mode with
the selinux=0 kernel parameter and run "fixfiles restore" manually.
Then I discovered that somehow a bunch of bogus "unconfined" entries
had appeared in
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:
#
#
# User-specific file contexts, generated via libsemanage
# use semanage command to manage system users to change the file_context
#
#
#
# Home Context for user unconfined_u
#
/etc/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/etc/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
/etc/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/etc/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/etc/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
/etc/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/etc/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/etc/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/etc/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/etc/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/etc/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/etc/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/etc/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
/etc/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/etc/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
/etc/lost\+found/.* <<none>>
/etc -d system_u:object_r:home_root_t:s0
/etc/\.journal <<none>>
/etc/lost\+found -d system_u:object_r:lost_found_t:s0
#
# Home Context for user unconfined_u
#
/home/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/home/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
/home/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/home/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/home/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
/home/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/home/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/home/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/home/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/home/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/home/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/home/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/home/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
/home/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/home/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
/home/lost\+found/.* <<none>>
/home -d system_u:object_r:home_root_t:s0
/home/\.journal <<none>>
/home/lost\+found -d system_u:object_r:lost_found_t:s0
#
# Home Context for user unconfined_u
#
/opt/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/opt/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
/opt/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/opt/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/opt/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
/opt/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/opt/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/opt/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/opt/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/opt/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/opt/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/opt/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/opt/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
/opt/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/opt/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
/opt/lost\+found/.* <<none>>
/opt -d system_u:object_r:home_root_t:s0
/opt/\.journal <<none>>
/opt/lost\+found -d system_u:object_r:lost_found_t:s0
#
# Home Context for user unconfined_u
#
/usr/libexec/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/usr/libexec/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
/usr/libexec/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/usr/libexec/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/usr/libexec/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
/usr/libexec/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/usr/libexec/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/usr/libexec/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/usr/libexec/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/usr/libexec/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/usr/libexec/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/usr/libexec/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/usr/libexec/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
/usr/libexec/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/usr/libexec/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
/usr/libexec/lost\+found/.* <<none>>
/usr/libexec -d system_u:object_r:home_root_t:s0
/usr/libexec/\.journal <<none>>
/usr/libexec/lost\+found -d system_u:object_r:lost_found_t:s0
#
# Home Context for user unconfined_u
#
/var/log/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/var/log/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
/var/log/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/var/log/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/var/log/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
/var/log/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/var/log/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/var/log/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/var/log/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/var/log/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/var/log/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/var/log/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/var/log/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
/var/log/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/var/log/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
/var/log/lost\+found/.* <<none>>
/var/log -d system_u:object_r:home_root_t:s0
/var/log/\.journal <<none>>
/var/log/lost\+found -d system_u:object_r:lost_found_t:s0
/tmp/gconfd-.* -d unconfined_u:object_r:unconfined_tmp_t:s0
#
# Home Context for user root
#
/root/.+ root:object_r:sysadm_home_t:s0
/root/.gnome2(/.*)? root:object_r:sysadm_gnome_home_t:s0
/root/.*/plugins/nprhapengine\.so.* -- root:object_r:textrel_shlib_t:s0
/root/.*/plugins/libflashplayer\.so.* -- root:object_r:textrel_shlib_t:s0
/root/((www)|(web)|(public_html))(/.+)? root:object_r:httpd_sysadm_content_t:s0
/root/\.ssh(/.*)? root:object_r:sysadm_home_ssh_t:s0
/root/\.uml(/.*)? root:object_r:sysadm_uml_rw_t:s0
/root/\.java(/.*)? root:object_r:sysadm_mozilla_home_t:s0
/root/\.xauth.* -- root:object_r:sysadm_xauth_home_t:s0
/root/\.fonts(/.*)? root:object_r:sysadm_fonts_t:s0
/root/\.pyzor(/.*)? root:object_r:sysadm_pyzor_home_t:s0
/root/\.razor(/.*)? root:object_r:sysadm_razor_home_t:s0
/root/vmware(/.*)? root:object_r:sysadm_vmware_file_t:s0
/root/\.galeon(/.*)? root:object_r:sysadm_mozilla_home_t:s0
/root/\.vmware(/.*)? root:object_r:sysadm_vmware_file_t:s0
/root/\.vmware[^/]*/.*\.cfg -- root:object_r:sysadm_vmware_conf_t:s0
/root/\.mozilla(/.*)? root:object_r:sysadm_mozilla_home_t:s0
/root/\.phoenix(/.*)? root:object_r:sysadm_mozilla_home_t:s0
/root/\.mplayer(/.*)? root:object_r:sysadm_mplayer_home_t:s0
/root/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- root:object_r:textrel_shlib_t:s0
/root/\.ethereal(/.*)? root:object_r:sysadm_ethereal_home_t:s0
/root/\.netscape(/.*)? root:object_r:sysadm_mozilla_home_t:s0
/root/\.Xauthority.* -- root:object_r:sysadm_xauth_home_t:s0
/root/\.fonts/auto(/.*)? root:object_r:sysadm_fonts_cache_t:s0
/root/\.gstreamer-.*/[^/]*\.so.* -- root:object_r:textrel_shlib_t:s0
/root/\.config/gtk-.* root:object_r:sysadm_gnome_home_t:s0
/root/\.fonts\.cache-.* -- root:object_r:sysadm_fonts_cache_t:s0
/root/\.ICEauthority.* -- root:object_r:sysadm_iceauth_home_t:s0
/root/\.spamassassin(/.*)? root:object_r:sysadm_spamassassin_home_t:s0
/root -d root:object_r:sysadm_home_dir_t:s0
/root -l root:object_r:sysadm_home_dir_t:s0
/root/\.ircmotd -- root:object_r:sysadm_irc_home_t:s0
/root/\.screenrc -- root:object_r:sysadm_screen_ro_home_t:s0
/root/\.fonts\.conf -- root:object_r:sysadm_fonts_config_t:s0
/tmp/gconfd-root -d root:object_r:sysadm_tmp_t:s0
I deleted all the sections headed up with "Home Context for user
unconfined_u" then re-ran "fixfiles restore".
The conclusion I draw is that running SELinux in permissive mode for
an extended period of time isn't well supported at all, and shouldn't
be recommended ever. Perhaps more testing should go into running a
system in permissive mode while yum updates apply selinux packages,
etc. to find these types of issues.
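A sanity check for the condition described in the post, as an added example that is not part of the original message or of any SELinux tool: it parses the "Home Context for user ..." sections of a file_contexts.homedirs file and flags any whose base directory (here /etc, /opt, /usr/libexec, /var/log) is neither a home directory nor the parent of one for an account in a passwd-style list. The uid cutoff of 500 and the sample inputs are assumptions made for the example.

```python
"""Flag "Home Context for user ..." sections of an SELinux file_contexts.homedirs
whose base directory is not a real home directory or home root.  Added example,
not from the post; sample inputs below are constructed to mirror its layout."""
import os
import re
SECTION_RE = re.compile(r"^#\s*Home Context for user\s+(\S+)")
# First spec line of a section: "/home/[^/]*/.+ ctx" or "/root/.+ ctx".
FIRST_SPEC_RE = re.compile(r"^(\S+?)(?:/\[\^/\]\*)?/\.\+\s+")

def parse_sections(homedirs_text):
    """Return (selinux_user, base_dir) for every Home Context section."""
    found, user = [], None
    for line in homedirs_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            user = m.group(1)
        elif user and line.strip() and not line.startswith("#"):
            m = FIRST_SPEC_RE.match(line)
            found.append((user, m.group(1) if m else line.split()[0]))
            user = None  # only a section's first spec line is inspected
    return found

def home_roots(passwd_text, min_uid=500):
    """Homes of root and of regular accounts (uid >= min_uid, an assumed cutoff
    that drops system accounts such as /var/adm) plus their parent directories."""
    roots = set()
    for line in passwd_text.splitlines():
        f = line.split(":")
        uid = int(f[2]) if len(f) >= 7 and f[2].isdigit() else None
        if uid is not None and (uid == 0 or uid >= min_uid):
            roots.update({f[5], os.path.dirname(f[5])})
    return roots

def bogus_sections(homedirs_text, passwd_text):
    """Sections whose base directory is neither a home nor a home root."""
    allowed = home_roots(passwd_text)
    return [s for s in parse_sections(homedirs_text) if s[1] not in allowed]

# Constructed sample: a trimmed copy of the layout quoted in the post.
SAMPLE_HOMEDIRS = """\
# Home Context for user unconfined_u
/etc/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
# Home Context for user unconfined_u
/home/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
# Home Context for user root
/root/.+ root:object_r:sysadm_home_t:s0
"""
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:500:500::/home/alice:/bin/bash\n"
if __name__ == "__main__":
    for user, base in bogus_sections(SAMPLE_HOMEDIRS, SAMPLE_PASSWD):
        print(f"suspicious Home Context section for {user}: base {base}")
```

Running it against the real file before a relabel in enforcing mode would have reported each of the /etc, /opt, /usr/libexec and /var/log sections while leaving /home and /root alone.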